maintenance/jenkins: align Metis ingress, sentinel push, and CI job

services/maintenance/metis-configmap.yaml

@@ -6,7 +6,11 @@ metadata:
   namespace: maintenance
 data:
   METIS_DEFAULT_FLASH_NODE: titan-22
+  METIS_UI_BASE_URL: https://metis.bstein.dev
   METIS_METRICS_PORT: "8080"
   METIS_METRICS_PATH: /metrics
+  METIS_SENTINEL_PUSH_URL: http://metis.maintenance.svc.cluster.local/api/internal/sentinel/snapshots
+  METIS_SENTINEL_PUSH_TIMEOUT_SEC: "10"
+  METIS_SENTINEL_PUSH_INTERVAL_SEC: "120"
   METIS_SENTINEL_OUT: /var/run/metis-sentinel
-  METIS_SENTINEL_INTERVAL_SEC: "300"
+  METIS_SENTINEL_INTERVAL_SEC: "120"

services/maintenance/metis-deployment.yaml

@@ -21,23 +21,9 @@ spec:
     spec:
       serviceAccountName: metis
       nodeSelector:
+        kubernetes.io/hostname: titan-22
         kubernetes.io/arch: amd64
         node-role.kubernetes.io/worker: "true"
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 100
-              preference:
-                matchExpressions:
-                  - key: kubernetes.io/hostname
-                    operator: In
-                    values: ["titan-22"]
-            - weight: 25
-              preference:
-                matchExpressions:
-                  - key: kubernetes.io/hostname
-                    operator: In
-                    values: ["titan-24"]
       containers:
         - name: metis
           image: registry.bstein.dev/bstein/metis:latest

services/maintenance/metis-ingress.yaml

@@ -0,0 +1,27 @@
+# services/maintenance/metis-ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: metis
+  namespace: maintenance
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd
+spec:
+  tls:
+    - hosts: ["metis.bstein.dev"]
+      secretName: metis-tls
+  rules:
+    - host: metis.bstein.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: metis
+                port:
+                  number: 80

services/maintenance/metis-sentinel-daemonset.yaml

@@ -27,6 +27,27 @@ spec:
         - name: metis-sentinel
           image: registry.bstein.dev/bstein/metis-sentinel:latest
           imagePullPolicy: Always
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              set -eu
+              out_dir="${METIS_SENTINEL_OUT:-/var/run/metis-sentinel}"
+              interval="${METIS_SENTINEL_INTERVAL_SEC:-120}"
+              mkdir -p "${out_dir}"
+              while true; do
+                ts="$(date -u +%Y%m%dT%H%M%SZ)"
+                node="${METIS_SENTINEL_NODE:-unknown}"
+                tmp="${out_dir}/${node}-${ts}.json.tmp"
+                out="${out_dir}/${node}-${ts}.json"
+                if metis-sentinel > "${tmp}"; then
+                  mv "${tmp}" "${out}"
+                else
+                  rm -f "${tmp}" || true
+                fi
+                sleep "${interval}"
+              done
           envFrom:
             - configMapRef:
                 name: metis
@@ -39,9 +60,6 @@ spec:
             - name: http
               containerPort: 8080
           volumeMounts:
-            - name: host-root
-              mountPath: /host
-              readOnly: true
             - name: sentinel-output
               mountPath: /var/run/metis-sentinel
           resources:
@@ -56,9 +74,60 @@ spec:
             runAsUser: 0
             capabilities:
               drop: ["ALL"]
+        - name: sentinel-pusher
+          image: curlimages/curl:8.12.1
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              set -eu
+              out_dir="${METIS_SENTINEL_OUT:-/var/run/metis-sentinel}"
+              push_url="${METIS_SENTINEL_PUSH_URL:-}"
+              interval="${METIS_SENTINEL_PUSH_INTERVAL_SEC:-120}"
+              timeout="${METIS_SENTINEL_PUSH_TIMEOUT_SEC:-10}"
+              mkdir -p "${out_dir}"
+              while true; do
+                for snapshot in "${out_dir}"/*.json; do
+                  [ -f "${snapshot}" ] || continue
+                  if [ -z "${push_url}" ]; then
+                    break
+                  fi
+                  if curl -fsS --connect-timeout "${timeout}" --max-time "${timeout}" \
+                    -X POST \
+                    -H "Content-Type: application/json" \
+                    -H "X-Metis-Node: ${METIS_SENTINEL_NODE:-unknown}" \
+                    --data-binary "@${snapshot}" \
+                    "${push_url}"; then
+                    rm -f "${snapshot}"
+                  fi
+                done
+                sleep "${interval}"
+              done
+          envFrom:
+            - configMapRef:
+                name: metis
+          env:
+            - name: METIS_SENTINEL_NODE
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: sentinel-output
+              mountPath: /var/run/metis-sentinel
+          resources:
+            requests:
+              cpu: 10m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 0
+            capabilities:
+              drop: ["ALL"]
       volumes:
-        - name: host-root
-          hostPath:
-            path: /
         - name: sentinel-output
           emptyDir: {}